Understanding Web Authentication: Sessions vs Tokens, Cookies vs LocalStorage